Skip to main content
CVE Vulnerability Database

CVE-2025-8370: Portabilis i-Educar XSS Vulnerability

CVE-2025-8370 is a cross-site scripting flaw in Portabilis i-Educar 2.9 affecting the educar_escolaridade_lst.php file. Attackers can exploit this remotely via the descricao parameter. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-8370 Overview

CVE-2025-8370 is a reflected cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9, an open-source school management platform used by educational institutions. The flaw exists in /intranet/educar_escolaridade_lst.php, where the descricao parameter is reflected into the response without adequate output encoding. An unauthenticated attacker can craft a URL containing malicious JavaScript and trick a user into clicking it, causing script execution in the victim's browser session. The vendor was contacted about this issue but did not respond, and the exploit has been publicly disclosed.

Critical Impact

Attackers can execute arbitrary JavaScript in a victim's browser context, enabling session token theft, credential harvesting via injected forms, and unauthorized actions against the i-Educar application.

Affected Products

  • Portabilis i-Educar 2.9.0
  • Component: /intranet/educar_escolaridade_lst.php
  • Vulnerable parameter: descricao

Discovery Timeline

  • 2025-07-31 - CVE-2025-8370 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8370

Vulnerability Analysis

The vulnerability is a reflected cross-site scripting (XSS) issue classified under [CWE-79] Improper Neutralization of Input During Web Page Generation. The educar_escolaridade_lst.php endpoint accepts a descricao query parameter and includes its value in the rendered HTML response without applying context-aware output encoding.

Because the injected content is echoed back inside the HTML body, an attacker-supplied payload containing <script> tags or event-handler attributes executes when the response loads in the victim's browser. Exploitation requires user interaction, typically clicking a crafted link, which aligns with the CVSS 4.0 vector indicating passive user interaction (UI:P) and no privileges required (PR:N).

The practical impact is limited to integrity within the browser context. An attacker can steal session cookies, perform actions on behalf of an authenticated user, or render fake login prompts to capture credentials for the school management system.

Root Cause

The root cause is missing input sanitization and output encoding on the descricao parameter within educar_escolaridade_lst.php. User-supplied data flows directly from the HTTP request into the HTML response without HTML entity encoding, allowing script content to be interpreted by the browser rather than displayed as text.

Attack Vector

Exploitation is network-based and requires the victim to visit an attacker-controlled link. The attacker crafts a URL of the form /intranet/educar_escolaridade_lst.php?descricao=<payload> and delivers it through phishing email, chat, or an embedded link on an attacker-controlled site. When an authenticated i-Educar user clicks the link, the payload executes in the context of the i-Educar origin.

See the public technical write-up in the GitHub Reflected XSS Report and the GitHub CVE-2025-8370 Details for the disclosed proof of concept.

Detection Methods for CVE-2025-8370

Indicators of Compromise

  • HTTP requests to /intranet/educar_escolaridade_lst.php containing descricao values with <script>, onerror=, onload=, or javascript: substrings.
  • Unusual outbound requests from user browsers to attacker-controlled domains immediately after visiting i-Educar URLs.
  • Web server access logs showing URL-encoded HTML characters (%3Cscript%3E, %3Cimg) in the descricao query parameter.

Detection Strategies

  • Deploy a web application firewall (WAF) rule that inspects the descricao parameter for HTML tags and JavaScript event handlers.
  • Enable server-side request logging with full query strings for the /intranet/ path to support retrospective analysis.
  • Correlate authentication anomalies, such as new user-agents or session reuse from unexpected IPs, with prior visits to educar_escolaridade_lst.php.

Monitoring Recommendations

  • Alert on any HTTP 200 response from educar_escolaridade_lst.php where the request query string contains reflected script markers.
  • Monitor Content-Security-Policy violation reports if CSP is deployed in report-only or enforcement mode.
  • Track user session activity for privilege changes or bulk data exports that follow suspicious link clicks.

How to Mitigate CVE-2025-8370

Immediate Actions Required

  • Restrict access to the /intranet/ path so that only authenticated users on trusted networks can reach educar_escolaridade_lst.php.
  • Deploy WAF signatures that block requests containing script tags or JavaScript event handlers in the descricao parameter.
  • Educate administrative users to avoid clicking unsolicited i-Educar links and to report suspicious URLs.

Patch Information

As of the last NVD update on 2026-06-17, no vendor patch has been published. The vendor did not respond to disclosure attempts according to the VulDB #318342 entry. Administrators should track the Portabilis i-Educar repository for community fixes and apply HTML entity encoding to the descricao output as a source-level workaround.

Workarounds

  • Apply HTML entity encoding to the descricao variable before rendering in educar_escolaridade_lst.php, for example using htmlspecialchars($descricao, ENT_QUOTES, 'UTF-8').
  • Add a strict Content-Security-Policy header that disallows inline scripts (script-src 'self') to reduce impact of reflected payloads.
  • Set the HttpOnly and Secure flags on session cookies to limit token theft via injected JavaScript.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.